HyPoRes: An Hybrid Representation System for ECC
P. Martins (1), J. Marrez (2), J.-C. Bajard (2), L. Sousa (1)
(1) INESC-ID, Instituto Superior Técnico, Univ. Lisboa
(2) Sorbonnes Université, CNRS, LIP6, Paris, France
26th IEEE Symposium on Computer Arithmetic
Acknowledgement This work was partially supported by Portuguese funds through Fundação para a Ciência e a Tecnologia (FCT) with reference UID/CEC/50021/2019 and by the Ph.D. grant with reference SFRH/BD/103791/2014; by the ANR grant ARRAND 15-CE39-0002-01; through the Pessoa/Hubert Curien programme with reference 4335 (FCT)/40832XC (CAMPUSFRANCE); and by EU’s Horizon 2020 research and innovation programme under grant agreement No. 779391 (FutureTPM).

Table of Contents
◮ Motivation: Elliptic Curve Cryptography; Residue Number System
◮ Background: Montgomery Reduction; Hybrid-Positional Residue Number System
◮ Proposed HyPoRes
◮ Experimental Results
◮ Protection against SCAs
◮ Conclusion

Elliptic Curve Cryptography
[Figure: point addition of two points over an EC defined in $\mathbb{R}$]
◮ Security based on the difficulty of computing $n$ from $[n]P$ and $P$ for curves defined over a finite field $\mathbb{F}_P$

Residue Number System
[Diagram: $\mathbb{Z}_{B_1}$ split into $\mathbb{Z}_{b_{1,0}}, \mathbb{Z}_{b_{1,1}}, \ldots, \mathbb{Z}_{b_{1,h_1-1}}$]
RNS breaks arithmetic modulo $B_1 = b_{1,0} \times \ldots \times b_{1,h_1-1}$ down to arithmetic modulo $b_{1,0}, \ldots, b_{1,h_1-1}$

Bridging the Gap
[Diagram: ECC operations in $\mathbb{F}_P$ mapped, with $P \neq B_1$, onto RNS parallel arithmetic in $\mathbb{Z}_{B_1}$]
◮ Montgomery Reduction: maps operations in $\mathbb{F}_P$ to $\mathbb{Z}_{B_1}$ for any $P$ with complexity of $O(\log_2^2 P)$;
◮ Hybrid-Positional Residue Number System (HPR): uses $P = B_1^n - \beta$ to reduce complexity to $O(\log_2^{3/2} P)$.
  ◮ Does not work for standardised primes

Montgomery Reduction
◮ Input: $A \sim P^2$
◮ Find $Q_1$ s.t. $B_1 \mid A + Q_1 P$: $Q_1 = -A P^{-1} \bmod B_1$
◮ $Q_2 = Q_1 \bmod B_2$: $O(h_1 h_2)$
◮ $Z_2 = \frac{A + Q_1 P}{B_1}$ (small)
◮ $Z_1 = Z_2 \bmod B_1$: $O(h_1 h_2)$
Complexity dominated by $O(h_1 h_2)$ with $h_1 \sim h_2 \sim \log_2 P$
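
The reduction steps on this slide, as an added Python example that is not part of the original slides. The moduli, the toy prime P = 1009 and the use of an exact CRT in place of a real base-extension routine are assumptions chosen for illustration.

```python
from math import prod

B1_MODULI = (13, 17, 19)      # constructed toy moduli of base B_1
B2_MODULI = (23, 29, 31)      # constructed toy moduli of base B_2
B1, B2 = prod(B1_MODULI), prod(B2_MODULI)
P = 1009                      # toy prime, coprime to B_1

def to_rns(x, moduli):
    return [x % m for m in moduli]

def from_rns(res, moduli):
    """Exact CRT reconstruction (assumption: stands in for a base extension)."""
    big = prod(moduli)
    return sum(r * (big // m) * pow(big // m, -1, m)
               for r, m in zip(res, moduli)) % big

def montgomery_reduce(a1, a2):
    """A given in both bases -> Z = A * B1^{-1} mod P (Z < 2P) in both bases."""
    # Q_1 = -A * P^{-1} mod B_1, one independent channel per modulus
    q1 = [(-a * pow(P, -1, m)) % m for a, m in zip(a1, B1_MODULI)]
    # Q_2 = Q_1 mod B_2: base extension B_1 -> B_2
    q2 = to_rns(from_rns(q1, B1_MODULI), B2_MODULI)
    # Z_2 = (A + Q_1 P) / B_1: the exact division is a multiplication
    # by B_1^{-1} in every channel of base B_2
    z2 = [(a + q * P) * pow(B1, -1, m) % m
          for a, q, m in zip(a2, q2, B2_MODULI)]
    # Z_1 = Z_2 mod B_1: base extension B_2 -> B_1
    z1 = to_rns(from_rns(z2, B2_MODULI), B1_MODULI)
    return z1, z2

def mont_mul(x, y):
    """Montgomery product x * y * B1^{-1} mod P, returned as an integer < 2P."""
    a = x * y
    _, z2 = montgomery_reduce(to_rns(a, B1_MODULI), to_rns(a, B2_MODULI))
    return from_rns(z2, B2_MODULI)
```

Only the two base extensions mix channels; every other step is a per-modulus operation, which is where the $O(h_1 h_2)$ cost on the slide comes from.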

Hybrid-Positional Residue Number System
◮ Representation: $A^{(0)} + A^{(1)} B_1 + \ldots + A^{(n-1)} B_1^{n-1}$, with digits in $\mathbb{Z}_{B_1} \times \mathbb{Z}_{B_2}$
◮ $D = A \times C = D^{(0)} + D^{(1)} B_1 + \ldots + D^{(n-1)} B_1^{n-1} + D^{(n)} B_1^n + \ldots + D^{(2n-2)} B_1^{2n-2}$
◮ For $P = B_1^n - \beta$: $D \equiv (D^{(0)} + \beta D^{(n)}) + (D^{(1)} + \beta D^{(n+1)}) B_1 + \ldots + D^{(n-1)} B_1^{n-1}$
◮ Perform carry propagation to reduce the digits magnitude

Carry Propagation
◮ $D_1^{(i)} \bmod B_1 \rightarrow D_1^{(i)} \bmod B_2$: $O(h_1 h_2)$
◮ $C_2^{(i)} = \frac{D_2^{(i)} - D_1^{(i)}}{B_1}$
◮ $C_1^{(i)} = C_2^{(i)} \bmod B_1$: $O(h_1 h_2)$
◮ $D_2^{(i)} = D_1^{(i)}$
◮ $D_1^{(i+1)} = D_1^{(i+1)} + C_1^{(i)}$, $D_2^{(i+1)} = D_2^{(i+1)} + C_2^{(i)}$
Complexity dominated by $O(n^2(h_1 + h_2) + n h_1 h_2)$ with $n h_1 \sim n h_2 \sim \log_2 P$
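
HPR multiplication with the fold by $\beta$ and the carry propagation above, as an added Python example that is not part of the original slides. The toy parameters ($B_1 = 105$, $B_2 = 46189$, $n = 2$, $\beta = 22$, so $P = 11003$), holding each base as a single integer instead of separate RNS channels, and wrapping the top carry back into digit 0 with weight $\beta$ are assumptions.

```python
B1 = 3 * 5 * 7              # base B_1 = 105, held as one integer
B2 = 11 * 13 * 17 * 19      # base B_2 = 46189, coprime to B_1
N, BETA = 2, 22
P = B1**N - BETA            # 11003, a prime of the form B_1^n - beta
B1_INV = pow(B1, -1, B2)    # turns the exact division by B_1 into a product

def to_hpr(a):
    """N base-B_1 digits of a, each stored as [digit mod B_1, digit mod B_2]."""
    digits = []
    for _ in range(N):
        a, d = divmod(a, B1)
        digits.append([d, d])
    return digits

def value(digits):
    """Integer represented by fully carried digits (every digit < B_1)."""
    return sum(d2 * B1**i for i, (_, d2) in enumerate(digits))

def add_scaled(d, k, s, c1, c2):
    """d[k] += s * c, computed independently in both bases."""
    d[k] = [(d[k][0] + s * c1) % B1, (d[k][1] + s * c2) % B2]

def carry_propagate(d):
    # A digit is below B_1 exactly when its two residues agree.
    while any(d1 != d2 for d1, d2 in d):
        for i in range(N):
            d1, d2 = d[i]
            c2 = (d2 - d1) * B1_INV % B2   # C_2 = (D_2 - D_1) / B_1
            c1 = c2 % B1                   # C_1 = C_2 mod B_1
            d[i] = [d1, d1]                # D_2 = D_1
            if i + 1 < N:
                add_scaled(d, i + 1, 1, c1, c2)
            else:  # assumption: top carry wraps, since B_1^N = beta (mod P)
                add_scaled(d, 0, BETA, c1, c2)
    return d

def hpr_mul(a, c):
    d = [[0, 0] for _ in range(2 * N - 1)]
    for i, (a1, a2) in enumerate(a):       # digit products D^(0)..D^(2N-2)
        for j, (c1, c2) in enumerate(c):
            add_scaled(d, i + j, 1, a1 * c1, a2 * c2)
    for i in range(N, 2 * N - 1):          # fold D^(i) into D^(i-N) times beta
        add_scaled(d, i - N, BETA, *d[i])
    return carry_propagate(d[:N])
```

The result is a redundant representative below $B_1^n$, congruent to the product modulo $P$ but not necessarily below $P$.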
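
Hybrid Polynomial-Residue Number System
◮ Representation: $A^{(0)} + A^{(1)} X + \ldots + A^{(n-1)} X^{n-1}$, with coefficients in $\mathbb{Z}_{B_1} \times \mathbb{Z}_{B_2}$
◮ $a = \sum_{i=0}^{n-1} A^{(i)} \gamma^i \bmod P$
◮ $\gamma$ is the $n$-th root of a small value $\beta$ over $\mathbb{F}_P$ $\Rightarrow X^n - \beta \cong 0$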

Hybrid Polynomial-Residue Number System
◮ $D = A \times C = D^{(0)} + D^{(1)} X + \ldots + D^{(n-1)} X^{n-1} + D^{(n)} X^n + \ldots + D^{(2n-2)} X^{2n-2}$
◮ $D \equiv D - (D^{(n)} + \ldots + D^{(2n-2)} X^{n-2}) \times (X^n - \beta) \equiv (D^{(0)} + \beta D^{(n)}) + (D^{(1)} + \beta D^{(n+1)}) X + \ldots + D^{(n-1)} X^{n-1}$
◮ Perform Montgomery reduction to reduce the digits magnitude

Hybrid Polynomial-Residue Number System
◮ Lattice $L(\Gamma)$ of the representations of zero
$$\Gamma = \begin{pmatrix} P & 0 & \ldots & 0 \\ -\gamma & 1 & \ldots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ -\gamma^{n-1} & 0 & \ldots & 1 \end{pmatrix}$$
◮ Each line in $\Gamma$ corresponds to either $P = 0 \bmod P$ or $-\gamma^i + X^i$, which when evaluated at $X = \gamma$ produces a value congruent with 0
◮ Minkowski's theorem guarantees that $L(\Gamma)$ contains a nonzero vector $M$ of norm at most $(\det L(\Gamma))^{1/n} = P^{1/n}$

Hybrid Polynomial-Residue Number System
◮ Input: $A$ with large digits
◮ Find $Q_1$ s.t. $B_1 \mid A + Q_1 \star M$: $Q_1 = -A \star M^{-1} \bmod B_1$
◮ $Q_2 = Q_1 \bmod B_2$: $O(n h_1 h_2)$
◮ $Z_2 = \frac{A + Q_1 \star M}{B_1}$ (small)
◮ $Z_1 = Z_2 \bmod B_1$: $O(n h_1 h_2)$
◮ $\star$ denotes multiplication in $\mathbb{Z}[X]/(X^n - \beta)$
Complexity dominated by $O(n^2(h_1 + h_2) + n h_1 h_2)$ with $n h_1 \sim n h_2 \sim \log_2 P$
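
The lattice vector $M$ and the polynomial Montgomery reduction of the last two slides, as an added Python example that is not part of the original slides or the authors' implementation. It is narrowed to $n = 2$ with assumed toy parameters ($P = 2^{31} - 1$, $\beta = 2$, $\gamma = 2^{16}$), finds $M$ by exhaustive search rather than lattice reduction, and holds $B_1$ as one integer instead of RNS channels.

```python
from math import isqrt, prod

P = 2**31 - 1           # toy Mersenne prime
N, BETA = 2, 2
GAMMA = 2**16           # GAMMA^2 = 2^32 = 2 (mod P): a square root of BETA
B1 = prod((3, 5, 7, 11, 13, 17, 19, 23))   # stands in for the RNS base B_1

def centered(x):
    x %= P
    return x - P if x > P // 2 else x

def short_zero():
    """Short M in L(Gamma): M(GAMMA) = 0 mod P, max-norm <= sqrt(P)."""
    cands = ((centered(-m1 * GAMMA), m1) for m1 in range(1, isqrt(P) + 1))
    return min(cands, key=lambda m: max(abs(m[0]), m[1]))

def star(a, c):
    """Multiplication in Z[X]/(X^2 - BETA)."""
    return (a[0] * c[0] + BETA * a[1] * c[1], a[0] * c[1] + a[1] * c[0])

M = short_zero()
# For n = 2: M^{-1} = (m0 - m1 X) / (m0^2 - BETA m1^2), computed modulo B1
NORM_INV = pow((M[0] ** 2 - BETA * M[1] ** 2) % B1, -1, B1)
M_INV = (M[0] * NORM_INV % B1, -M[1] * NORM_INV % B1)

def mont_reduce(a):
    """Z = (A + Q * M) / B1 with Q = -A * M^{-1} mod B1; Z(GAMMA) = A(GAMMA) / B1."""
    q = tuple(-x % B1 for x in star(a, M_INV))
    qm = star(q, M)
    return tuple((x + y) // B1 for x, y in zip(a, qm))   # division is exact

def evaluate(a):
    """Map a representation back to F_P by evaluating at X = GAMMA."""
    return (a[0] + a[1] * GAMMA) % P

def encode(v):
    """Small-coefficient representation of v: reduce the constant v * B1."""
    return mont_reduce((v * B1 % P, 0))
```

Adding the multiple $Q \star M$ of a representation of zero leaves the value at $\gamma$ unchanged modulo $P$ while making every coefficient divisible by $B_1$, so the output coefficients stay on the order of those of $M$.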

Experimental Results
[Figure: bar chart of execution time [µs] for $P_{383}$ ($P_{384}$), $P_{448}$ ($P'_{448}$) and $P_{521}$ ($P_{512}$); series: Pure-RNS, HyPoRes, HPR]
Average execution time of a pure-RNS and the proposed approaches for standardised primes, as well as of HPR with specially crafted primes on an i7-3770K

Protection against SCAs
◮ Choose $\gamma$ as the root of $E(X) = E^{(0)} + \ldots + E^{(n-1)} X^{n-1} + X^n$
◮ Operate over $\mathbb{Z}[X]/(E(X))$ instead of $\mathbb{Z}[X]/(X^n - \beta)$
◮ Choose $E$ at random at the beginning of point multiplication
◮ Change representations throughout the execution of the algorithm by precomputing representations of $\gamma^i$ in the target system

Conclusion
[Diagram: Pure-RNS, HyPoRes and HPR placed along two axes, "Better Performance" and "Weaker Assumptions"]
◮ HyPoRes multiplication has subquadratic time complexity
◮ Montgomery reduction is slower than carry propagation so HyPoRes is slower than HPR, but works for any prime
◮ Redundant representations are possible, improving resistance against SCAs
Thank you! Any questions?